Is your use of AI GDPR-compliant?
6 quick questions, 60 seconds. You get an honest traffic-light assessment plus the most important next steps. Not a legal opinion — but a solid reality check.
Are real customer or company data entered into free AI tools (e.g. free ChatGPT)?
Are your AI data processed/hosted in the EU?
Do you have a data processing agreement (DPA) with your AI vendors?
Are there clear team rules on which data may go into AI tools — and which may not?
Does your privacy policy mention the use of AI?
Are AI outputs reviewed by humans for important decisions?
Solidly set up
Your basics are right: you watch for EU processing, contracts and clear rules. Keep it up — data protection is an ongoing process, not a one-off checkbox.
- Refresh rules regularly
- Vet new tools briefly before use
- Train staff briefly
We set up AI GDPR-ready from day one — EU-hosted and properly documented.
Improvement recommended
Okay at the core, but there are gaps that can quickly become a risk. A few targeted steps put you on the safe side.
- Ensure EU hosting / business plans
- Sign DPAs with vendors
- Document clear team rules
- Add AI to your privacy policy
We set up AI GDPR-ready from day one — EU-hosted and properly documented.
Action needed
Several critical points open — act soon before sensitive data leaks or you risk a breach. The good news: this is solvable pragmatically.
- Now: no sensitive data in free tools
- Move to an EU-hosted, walled-off solution
- Catch up on DPA & privacy policy
- Introduce binding usage rules
We set up AI GDPR-ready from day one — EU-hosted and properly documented.
Note: This check is not legal advice. It gives initial orientation — for binding statements please consult your data protection officer or a specialist lawyer.